Sophie

kernel-2.6.18-238.el5.src.rpm

From: Anton Arapov <aarapov@redhat.com>
Date: Fri, 30 May 2008 10:51:08 +0200
Subject:  [net] dccp: sanity check feature length
Message-id: 483FBFFC.4070206@redhat.com
O-Subject: [kernel team] [PATCH RHEL5] BZ#447396: dccp: sanity check feature length {CVE-2008-2358}
Bugzilla: 447396
RH-Acked-by: Chris Wright <chrisw@redhat.com>
RH-Acked-by: Arnaldo Carvalho de Melo <acme@redhat.com>
RH-Acked-by: Neil Horman <nhorman@redhat.com>

Bugzilla: 447396

Details:
      The issue is an integer overflow in DCCP options handling. This may
result in code execution allowing an attacker to execute code in a
kernel context.  At the lowest severity, it will crash the kernel
environment.

Upstream status:
      not in upstream, embargoed

Test status:
      has been tested for build and boot.
      http://brewweb.devel.redhat.com/brew/taskinfo?taskID=1338875

Notice:
      CVE-2008-2358

==

 net/dccp/feat.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/net/dccp/feat.c b/net/dccp/feat.c
index a1b0682..aceb1db 100644
--- a/net/dccp/feat.c
+++ b/net/dccp/feat.c
@@ -25,6 +25,11 @@ int dccp_feat_change(struct dccp_minisock *dmsk, u8 type, u8 feature,
 
 	dccp_pr_debug("feat change type=%d feat=%d\n", type, feature);
 
+	if (len > 3) {
+		if (net_ratelimit())
+			printk("%s: invalid length %d\n", __func__, len);
+		return -EINVAL;
+	}
 	/* XXX sanity check feat change request */
 
 	/* check if that feature is already being negotiated */
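
Review bot: The bound in `if (len > 3)` is a bare literal with no comment or named constant saying which limit it enforces, and the `/* XXX sanity check feat change request */` comment left directly below the new block still reads as if no check exists. Suggest a named constant or a one-line comment giving the reason for 3, a blank line after the closing brace, and rewording the XXX comment to say what remains unchecked. The `printk("%s: invalid length %d\n", __func__, len);` call carries no KERN_ log level, so it is emitted at the default level; an explicit one such as KERN_WARNING would state the intent. The declaration of `len` is not visible in this hunk, so confirm that `%d` matches its type.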